The Internet revolution has brought with it a new vehicle for property vandalism, financial theft, and corporate espionage on a scale unparalleled in human history. Organizations have devoted significant attention to Internet-based threats by establishing security programs to uncover and remediate vulnerabilities within the organization's infrastructure. A popular practice for identifying unknown risk and evaluating security posture is to simulate a real-world attack against the organization's infrastructure. This simulated attack is often referred to as a penetration test. Normally, a third party service provider is hired, wherein the organization and the third party agree that the third party will evaluate the security posture for a finite time and the organization will pay the third party a pre-negotiated set amount for the third party's effort, without regard to the value the third party creates. Value in this context is defined by the number and severity of previously unknown vulnerabilities discovered.
However, constant change in the organization's infrastructure, an unending release of new compromise techniques, and an unwavering number of intrusion attempts all warrant a security assessment model that provides continuous and unending risk identification and remediation. Moreover, the cost of engaging a third party to perform penetration testing on a continuous basis discourages this level of coverage.
In a prior art solution, a crowdsourcing based vulnerability detection system is used, in which a freelance workforce provides continuous and ongoing vulnerability identification for the organization. Additionally, the crowdsourcing based vulnerability detection system charges a fee for service only after value, by way of a valid vulnerability submission, has been provided to the organization. However, in this solution, the signal-to-noise ratio of valid to invalid vulnerability submissions substantially worsens due to a freelance workforce strategy of "spray and pray". Using this strategy, a majority of the freelance workforce ignores program scope guidelines, deprioritizes the quality of their work, includes limited reproduction instructions, and provides low value submissions. While the organization is not required to pay for these submissions, the process of reviewing such submissions consumes the time and energy of the organization. Further, the signal-to-noise problem is exacerbated by the fact that crowdsourcing based vulnerability detection systems were not designed with automation in mind. Instead, in one embodiment, a state of the art crowdsourcing based vulnerability detection system relies primarily on human intervention during the vulnerability triage process to identify valid submissions and award them. This triage effort is performed either by the organization itself or by the crowdsourcing company for an additional fee. Taken in concert, the triage and management process substantially increases the total cost of vulnerability detection for the organization.
In another embodiment, a state of the art crowdsourcing based vulnerability detection system addresses the signal-to-noise problem either by defining a business model that only supports vetted testers or by moving away from an open bug bounty program to a private, invite-only bug bounty program. However, such solutions defeat one of the two core promises of the crowdsourcing model, namely leveraging the law of large numbers by engaging a freelance community of testers to provide continuous coverage to participating organizations.
In addition, US Patent Publication No. 2012/0239459 discloses crowdsourced competitions in which a reward is given to the contestant who generates the highest quality product for a clearly defined set of objectives. Top Coder is another example of this type of competition. Organizations create competitions that request developers to create software products that meet certain functionality requirements. The developers submit their code and a winner is chosen from the set of submissions. However, the existing solution does not leverage the crowd to identify an undefined number of vulnerabilities.
US Patent Publication No. 2014/0173737 discloses a bug tracking application that takes vulnerability data provided by third parties, such as NIST (National Institute of Standards and Technology), and automatically generates issues to be tracked by developers. Each issue has a corresponding severity score to assist an organization in identifying those items that need to be addressed immediately. The vulnerability data processed by the application represents vulnerabilities that have already been identified and validated. However, the existing solution fails to assist organizations in identifying new vulnerabilities.
U.S. Pat. No. 8,813,235 discloses the use of vulnerability scanners to identify initial weaknesses in an application. Following the use of an automated scanner, the tester attempts to manually identify additional vulnerabilities. However, the existing solution fails to automatically validate the vulnerabilities submitted by the testers.
U.S. Pat. No. 8,499,353 discloses a process to improve code analysis by integrating the results of both static and dynamic analysis. This is an automated process, similar to vulnerability scanners, that attempts to both identify and validate the existence of vulnerabilities. Organizations, including third-party security firms, use code analysers to identify initial weaknesses in application code. Following the use of a code analyser, the testers attempt to manually identify additional vulnerabilities. However, the existing solution fails to automatically validate the vulnerabilities identified by the testers.
U.S. Pat. No. 8,607,353 discloses a process for automating the detection of a security breach through pattern analysis. Security breaches are often the result of a malicious user exploiting a vulnerability in application software, resulting in unwanted application behaviour or the exposure of sensitive information. However, the existing solution does not disclose identifying and validating vulnerabilities submitted by testers.
U.S. Pat. No. 9,178,903 discloses computer systems and methods configured to test the security of a server computer by simulating a wide range of attacks from one or more bot-nets, each of which is a network of numerous computers distributed over a range of geographic regions. However, the patent requires a simulated environment of bot-nets and fails to disclose automatic validation of submissions made by consultant testers.
U.S. Pat. No. 9,177,156 discloses "validating a report of the candidate security vulnerability of the particular system under test that is received from the particular researcher computer." However, the solution corroborates the assertion that human intervention is leveraged at this critical stage, with an internal "team" performing manual validation of vulnerability submissions.
Therefore, in light of the foregoing discussion, there exists a need for a method and system that automatically validates vulnerability submissions in a crowdsourcing environment.